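# Manage a BIND 9 nameserver: package, service, ferm firewall rules and
# the TSIG shared-key include file.  All ferm::rule resources are virtual
# (@ferm::rule) and only take effect where they are realized elsewhere,
# presumably by the node's ferm configuration.
class named {
	munin::check { 'bind': }

	package { 'bind9':
		ensure => installed
	}

	# The package must be installed before the service is started and
	# before any file owned by the 'bind' user/group is managed: the
	# package creates that user and group, so on a fresh host the file
	# resources below would otherwise fail with an unknown owner/group.
	service { 'bind9':
		ensure  => running,
		require => Package['bind9'],
	}

	# Drop UDP queries whose question section ends in QTYPE ANY (0x00ff)
	# and QCLASS IN (0x0001) right after the name terminator (0x00) -- ANY
	# is the classic DNS amplification vector.  Only UDP is matched; TCP
	# queries are left alone.  The string-match window (from 32 to 64) is
	# a byte offset into the whole packet, i.e. it counts the IP and UDP
	# headers too.  NOTE(review): the IPv6 header is 20 bytes longer than
	# the IPv4 one, so in the ip6 domain the same window lands on a
	# different part of the payload; confirm the offsets match real IPv6
	# queries before relying on this rule for both families.
	@ferm::rule { '00-dsa-bind-no-ddos-any':
		domain      => '(ip ip6)',
		description => 'Drop DNS ANY queries over UDP (amplification mitigation)',
		rule        => 'proto udp dport 53 mod string from 32 to 64 algo bm hex-string \'|0000ff0001|\' jump DROP'
	}

	# A dns_primary only talks to the listed peers (by name: secondaries
	# and the Nagios host); every other role serves port 53 to anyone.
	# The host lists are ferm variables defined outside this class.
	if has_role('dns_primary') {
		@ferm::rule { '01-dsa-bind-4':
			domain      => '(ip)',
			description => 'Allow nameserver access',
			rule        => '&TCP_UDP_SERVICE_RANGE(53, ( $HOST_DNS_GEO_V4 $HOST_NAGIOS_V4 $HOST_RCODE0_V4 $HOST_EASYDNS_V4 $HOST_NETNOD_V4 ) )',
		}
		# NOTE(review): the IPv6 list has no EASYDNS entry, unlike the IPv4
		# one -- presumably that peer has no v6 transfer address; confirm
		# this is intentional rather than an omission.
		@ferm::rule { '01-dsa-bind-6':
			domain      => '(ip6)',
			description => 'Allow nameserver access',
			rule        => '&TCP_UDP_SERVICE_RANGE(53, ( $HOST_DNS_GEO_V6 $HOST_NAGIOS_V6 $HOST_RCODE0_V6 $HOST_NETNOD_V6 ) )',
		}
	} else {
		@ferm::rule { '01-dsa-bind':
			domain      => '(ip ip6)',
			description => 'Allow nameserver access',
			rule        => '&TCP_UDP_SERVICE(53)'
		}
	}

	# Bypass connection tracking for DNS in both directions (raw table)
	# so a high query rate cannot fill the conntrack table.  Untracked
	# packets are invisible to state-based (ESTABLISHED,RELATED) rules,
	# so the explicit port-53 accept rules above must carry this traffic.
	@ferm::rule { 'dsa-bind-notrack':
		domain      => '(ip ip6)',
		description => 'NOTRACK for nameserver traffic',
		table       => 'raw',
		chain       => 'PREROUTING',
		rule        => 'proto (tcp udp) dport 53 jump NOTRACK'
	}

	@ferm::rule { 'dsa-bind-notrack-out':
		domain      => '(ip ip6)',
		description => 'NOTRACK for nameserver traffic',
		table       => 'raw',
		chain       => 'OUTPUT',
		rule        => 'proto (tcp udp) sport 53 jump NOTRACK'
	}

	# Log directory for BIND's own logging channels.  Group-writable for
	# the bind group; NOTE(review): if nothing but the bind user writes
	# here, 0755 would be the tighter choice.
	file { '/var/log/bind9':
		ensure  => directory,
		owner   => bind,
		group   => bind,
		mode    => '0775',
		require => Package['bind9'],
	}

	# TSIG shared keys rendered from the template.  Readable only by root
	# and the bind group; show_diff is disabled so the key material never
	# ends up in agent logs or reports when the content changes.
	file { '/etc/bind/named.conf.puppet-shared-keys':
		mode      => '0640',
		content   => template('named/named.conf.puppet-shared-keys.erb'),
		owner     => root,
		group     => bind,
		show_diff => false,
		require   => Package['bind9'],
		notify    => Service['bind9'],
	}
}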